Tempest in Tempe: First Amendment in the Desert

Posted on February 10th, 2012 by Derek Bambauer

In the spirit of the excellent colloquy here about Marvin’s thinking on First Amendment architectures, I bring up this news item: Arizona State University blocked both Web access to, and e-mail from, the change.org Web site. ASU students had begun a petition demanding that the university reduce tuition. The university essentially made three claims as to why it did so (below, in order of increasing stupidity):

  1. It was a technical mistake;
  2. Change.org was spamming ASU; and
  3. ASU needs to “protect the use of our limited and valuable network resources for legitimate academic, research and administrative uses.”

#1 and #2 run together. If spam is the problem, you don’t need to block access to the Web site. However, if you are concerned that students are going to read the petition, and sign it, you do need to block access to the Web site.

For #2, sorry, ASU, this isn’t spam. Spam is unsolicited bulk commercial e-mailChange.org is, allegedly, sending unsolicited political e-mail. And that’s protected by the First Amendment – see, for example, the Virginia Supreme Court’s analysis of that state’s anti-spam law that covered political messages. Potential political spammers have a sharp disincentive to fill recipient’s inboxes – it’s a sure-fire way to annoy them into opposing your position.

For #3, ASU doesn’t get to determine what academic and research uses are “legitimate.” If they throttle P2P apps, that’s fine. If they limit file sizes for attachments, no problem. But deciding that the message from Change.org is not “legitimate” is classic, and unconstitutional, viewpoint discrimination.

This looks like censorship. I think it’s more likely to be stupidity: someone in ASU’s IT department decided to block these messages as spam, and to filter outbound Web requests to the site contained within those messages. But: with great power over the network comes great responsibility. Well-intentioned constitutional violations are still unlawful. It would also help if ASU’s spokesperson simply admitted the mistake rather than engaging in idiotic justification.

As I mention in Orwell’s Armchair, public actors are increasingly important sources of Internet access. But when ASU and other public universities take on the role of ISP, they need to remember that they are not AOL: their technical decisions are constrained not merely by tech resources, but by our commitment to free speech. Let’s hope the Sun Devils cool off on the filtering…

Cross-posted at Concurring Opinions.

No Comments »
Filed under: Digital Media, Filtering, First Amendment, Intermediaries, Internet & Society, ISP, Politics, Security, Spam

The Hardest Thing to Predict Is the Future

Posted on January 31st, 2012 by Derek Bambauer

SOPA and PROTECT IP are dead… for now. (They’ll be back. COICA is like a wraith inhabiting PROTECT IP.) Until then, Michelle Schusterman has a terrific graphic about the movie industry’s predictions of doom with each new technological revolution. (Ditto the music industry: the player piano, radio, CDs, the MP3 player, etc., etc.) One reason for this is that it’s difficult to predict the effects of a new communications technology. People thought we’d use the telephone to listen to concerts from afar. But another reason is that content industries see advances not as an opportunity but as a threat – a threat that they deploy IP law to combat, or at least control. And in a policy space where lawmakers don’t demand actual data on threats before acting, trumped-up assertions of job loss and revenue loss can carry the day. This puts the lie to the theory that IP owners will move to exploit new communications media, if only they are protected against infringement. We didn’t get viable Internet-based music sales until iTunes in 2003, and Spotify is the first serious streaming app (the “celestial jukebox“). Think about prior efforts like Pressplay and MusicNow, and how terrible they were. Letting the content industry design delivery models is like letting Matt Millen draft your football team.

This is why piracy is a helpful pointer: it tells us what channels consumers want to use to access content. Sometimes this is just displacement of lawful consumption, as when college students with copious disposable income download songs via BitTorrent, but sometimes it indicates an unaddressed market niche (as with me and the baseball playoffs). To paraphrase Thomas Jefferson, I think a little bit of infringement now and again is a good thing. It is only when there is a viable threat in a new medium that existing players innovate – or cut deals with those who do. In that regard, even if SOPA and PROTECT IP are effective at reducing infringement, we might not want them.

Cross-posted at Concurring Opinions.

No Comments »
Filed under: Apple, Copyright, Digital Media, Filtering, First Amendment, Intermediaries, Internet & Society, Media, Music, Politics, RIAA, Video

More Crap From the E.U.

Posted on January 25th, 2012 by Derek Bambauer

Guest post by Jane Yakowitz

Now that the European Union’s member states are flailing around attempting to implement their miserable cookie directive, the European Commission has decided it’s a good time to retard the Internet some more.

Today the European Commission will release an already-leaked new version of the Data Protection Directive which firmly establishes a European right to data erasure, or “right to be forgotten.” Article 17 will give EU residents an unprecedented inalienable right to control and delete facts that were once voluntarily communicated by the subject. Moreover, the right to erasure covers all publications of the personal information. As the preamble explains:

To strengthen the ‘right to be forgotten’ in the online environment, the right to erasure should also be extended in such a way that any publicly available copies or replications in websites and search engines should also be deleted by the controller who has made the information public.

The European Commission’s Vice President for Justice has clarified that the data deletion rule applies even to information that the data subject communicates herself on a public web forum like Facebook.

The right to be forgotten supposedly has some limits:

However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for exercising the right of freedom of expression, when required by law, or where there is a reason to restrict the processing of the data instead of erasing them.

But this exception is undermined both by the necessity language (when, exactly, is a single factum “necessary” for history or expression?) and by the downright draconian fines that are imposed for noncompliance. Article 79 instructs EU authorities to collect 1% of an enterprise’s annual revenue in fines for failure to comply with the right to be forgotten.

I am disappointed, but not surprised, to see the EU continue a misguided attack on the information economy. The right to be forgotten unequivocally favors the interests of the data subject, no matter how selfishly motivated, over the interests of data controllers and other consumers. Moreover, by making the right of erasure inalienable, the EU prevents its own citizens from participating in a business model that allows consumers to trade their information for stuff they want—convenience, discounts, or content. EU residents have no unencumbered information to sell.

The popular understanding in U.S. privacy discourse is that the EU does a better job protecting consumers from big corporations than the U.S. On the surface this looks right—after all, the regulations speak almost exclusively of “rights” granted to consumers, and almost exclusively of “obligations” imposed on business entities. But on closer inspection, Europe’s approach to information privacy is more emblematic of a desire to hold technology fixed, as if the amount of information people had about one another just before the advent of the Internet was the right amount for some reason. Sooner or later, the policies motivating the EU Data Protection Directive will prove to be counter-productive and regressive. The negative right against automated processing is a good example:

Every natural person should have the right not to be subject to a measure which is based on profiling by means of automated processing.

Article 20 gives every EU resident has an absolute right to stop a company from using predictive analytics concerning employment, creditworthiness, or health decisions. (These examples come straight from the text of the new regulations.) This sounds like a good deal for data subjects until one thinks for a moment about who the local losers would be. There are two possibilities. The opt-out might create a market for lemons where the person’s decision to opt out serves as a reliable signal of some sort of problem. This quite obviously cuts against the goals of the opt-out right.  Alternatively, opt-outs will simply muddy the predictive models for everybody. Credit, for example, will be extended to applicants who are slightly more likely to default. The lower income applicants who might have looked more were creditworthy in comparison will pay higher interest rates, if credit is extended at all. Hooray.

Allegedly, one of the motivations for amending the directive is to make consumers feel more comfortable with e-commerce.

Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe.

Complete and utter hogwash. And it’s old hogwash, too. Consumer mistrust and timidity has been trotted out as a threat to e-commerce for as long as there have been public opinion surveys about the Internet. The theory refuses to die despite ample evidence to the contrary.  Now I am not suggesting that everything consumers do is per se good for them; law can and should occasionally force producers and service providers to take precautions that consumers would not choose to pay for if they could help it.  Information asymmetries and optimism bias are among the justifications. But the claim that consumers are shying away from Internet commerce and services does not comport with actual consumer behavior.

Google and other major Internet companies might want to start coordinating a protest similar to the effective campaign we saw here in the states in response to SOPA. If Google makes every person with the first name “John” ungoogleable for a day, and if online retailers refuse to access cookie data for a day, and if content providers double the amount of advertising for a day, pressure can build before the Directive comes to a vote.

For European Internet users, the deal is getting worse all the time. Pray the European Commissioners don’t alter it any further.

 

UPDATED: The draft that was released today is modified from the late November draft I used for my original post. The right to be forgotten is now found in Article 17, the right to object to processing is contained in Articles 19 and 20, and the Article 79 fines have been lowered from 3% to 1% of annual global revenues. I have edited this post accordingly. Here is the current draft.

10 Comments »
Filed under: Anonymity, Corporate Law, First Amendment, Google, Intermediaries, Internet & Society, ISP, Privacy

Cybersecurity Puzzles

Posted on January 24th, 2012 by Derek Bambauer

Cybersecurity is in the news: a network intrusion allegedly interfered with railroad signals in the Northwest in December; the Obama administration refused to support the Stop Online Piracy Act due to worries about interfering with DNSSEC; and the GAO concluded that the Department of Homeland Security is making things worse by oversharing. So, I’m fortunate that the Minnesota Law Review has just published the final version of Conundrum (available on SSRN), in which I argue that we should take an information-based approach to cybersecurity:

Cybersecurity is a conundrum. Despite a decade of sustained attention from scholars, legislators, military officials, popular media, and successive presidential administrations, little if any progress has been made in augmenting Internet security. Current scholarship on cybersecurity is bound to ill-fitting doctrinal models. It addresses cybersecurity based upon identification of actors and intent, arguing that inherent defects in the Internet’s architecture must be remedied to enable attribution. These proposals, if adopted, would badly damage the Internet’s generative capacity for innovation. Drawing upon scholarship in economics, animal behavior, and mathematics, this Article takes a radical new path, offering a theoretical model oriented around information, in distinction to the near-obsession with technical infrastructure demonstrated by other models. It posits a regulatory focus on access and alteration of data, and on guaranteeing its integrity. Counterintuitively, it suggests that creating inefficient storage and connectivity best protects user capabilities to access and alter information, but this necessitates difficult tradeoffs with preventing unauthorized interaction with data. The Article outlines how to implement inefficient information storage and connectivity through legislation. Lastly, it describes the stakes in cybersecurity debates: adopting current scholarly approaches jeopardizes not only the Internet’s generative architecture, but also key normative commitments to free expression on-line.

Conundrum, 96 Minn. L. Rev. 584 (2011).
Cross-posted at Concurring Opinions.

No Comments »
Filed under: Anonymity, Computer crime, Encryption, Intermediaries, international, Internet & Society, ISP, Minnesota, national security, NSA, Politics, Privacy, Scholarship, Security, Software

Why Scalia is Right in Jones: Magic Places and One-Way Ratchets

Posted on January 24th, 2012 by Derek Bambauer

The Supreme Court handed down its decision in U.S. v. Jones yesterday, and the blogosphere is abuzz about the case. (See Margot Kaminski, Paul Ohm, Howard Wasserman, Tom Goldstein, and the terrifyingly prolific Orin Kerr.) The verdict was a clean sweep – 9-0 for Jones – but the case produced three opinions, including a duel between Justices Antonin Scalia and Samuel Alito. Thus far, most privacy and constitutional law thinkers favor Alito’s position. That’s incorrect: Justice Scalia’s opinion is far more privacy protective. Here’s why: Read more…

2 Comments »
Filed under: Anonymity, Court Decisions, Politics, Privacy, Scholarship

Goldilocks and Cybersecurity

Posted on January 21st, 2012 by Derek Bambauer

It may seem strange in a week where Megaupload’s owners were arrested and SOPA / PROTECT IP went under, but cybersecurity is the most important Internet issue out there. Examples? Chinese corporate espionage. Cyberweapons like Stuxnet. Anonymous DDOSing everyone from the Department of Justice to the RIAA. The Net is full of holes, and there are a lot of folks expert in slipping through them.

I argue in a forthcoming paper, Conundrum, that cybersecurity can only be understood as an information problem. Conundrum posits that, if we’re worried about ensuring access to critical information on-line, we should make the Net less efficient – building in redundancy. But for cybersecurity, information is like the porridge in Goldilocks: you can’t have too much or too little. For example, there was recent panic that a water pump burnout in Illinois was the work of cyberterrorists. It turned out that it was actually the work of a contractor for the utility who happened to be vacationing in Russia. (This is what you get for actually answering your pager.)

The “too little” problem can be described via two examples. First, prior to the attacks of September 11, 2001, the government had information about some of the hijackers, but was impeded by lack of information-sharing and by IT systems that made such sharing difficult. Second, denial of service attacks prevent Internet users from reaching sites they seek – a tactic perfected by Anonymous. The problem is the same: needed information is unavailable. I think the solution, as described in Conundrum, is:

increasing the inefficiency with which information is stored. The positive aspects of both access to and alteration of data emphasize the need to ensure that authorized users can reach, and modify, information. This is more likely to occur when users can reach data at multiple locations, both because it increases attackers’ difficulty in blocking their attempts, and because it provides fallback options if a given copy is not available. In short, data should reside in many places.

But there is also the “too much” problem. This is exemplified by the water pump fiasco: after 9/11, the federal government, including the Department of Homeland Security, began a massive information-sharing effort, such as through Fusion Centers. The difficulty is that the Fusion Centers, and other DHS projects, are simply firehosing information onto companies who constitute “critical infrastructure.” Much of this information is repetitive or simply wrong – as with the water pump report. Bad information can be worse than none at all: it distracts critical infrastructure operators, breeds mistrust, and consumes scarce security resources. The pendulum has swung too far the other way: from undersharing to oversharing. Finding the “just right” solution is impossible; this is a dynamic environment with constantly changing threats. But the government hasn’t yet made the effort to synthesize and analyze information before sounding the alarm. It must, or we will pay the price of either false alarms, or missed ones.

(A side note: I don’t put much stock in which federal agency takes the lead on cybersecurity – there are proposals for the Department of Defense, or the Department of Energy, among others – but why has the Obama administration delegated responsibility to DHS? Having the TSA set Internet policy hardly seems sensible. Beware of Web-based snow globes!)

Cross-posted at Concurring Opinions.

No Comments »
Filed under: badware, Computer crime, Digital Media, Encryption, Impersonation, Intermediaries, international, Internet & Society, Media, national security, NSA, Privacy, Scholarship, Security, Software

Censorship on the March

Posted on January 18th, 2012 by Derek Bambauer

Today, you can’t get to The Oatmeal, or Dinosaur Comics, or XKCD, or (less importantly) Wikipedia. The sites have gone dark to protest the Stop Online Piracy Act (SOPA) and the PROTECT IP Act, America’s attempt to censor the Internet to reduce copyright infringement. This is part of a remarkable, distributed, coordinated protest effort, both online and in realspace (I saw my colleague and friend Jonathan Askin headed to protest outside the offices of Senators Charles Schumer and Kirstin Gillibrand). Many of the protesters argue that America is headed in the direction of authoritarian states such as China, Iran, and Bahrain in censoring the Net. The problem, though, is that America is not alone: most Western democracies are censoring the Internet. Britain does it for child pornography. France: hate speech. The EU is debating a proposal to allow “flagging” of objectionable content for ISPs to ban. Australia’s ISPs are engaging in pre-emptive censorship to prevent even worse legislation from passing. India wants Facebook, Google, and other online platforms to remove any content the government finds problematic.

Censorship is on the march, in democracies as well as dictatorships. With this movement we see, finally, the death of the American myth of free speech exceptionalism. We have viewed ourselves as qualitatively different – as defenders of unfettered expression. We are not. Even without SOPA and PROTECT IP, we are seizing domain names, filtering municipal wi-fi, and using funding to leverage colleges and universities to filter P2P. The reasons for American Internet censorship differ from those of France, South Korea, or China. The mechanism of restriction does not. It is time for us to be honest: America, too, censors. I think we can, and should, defend the legitimacy of our restrictions – the fight on-line and in Congress and in the media shows how we differ from China – but we need to stop pretending there is an easy line to be drawn between blocking human rights sites and blocking Rojadirecta or Dajaz1.

Cross-posted at <a href="Today, you can't get to The Oatmeal, or Dinosaur Comics, or XKCD, or (less importantly) Wikipedia. The sites have gone dark to protest the Stop Online Piracy Act (SOPA) and the PROTECT IP Act, America’s attempt to censor the Internet to reduce copyright infringement. This is part of a remarkable, distributed, coordinated protest effort, both online and in realspace (I saw my colleague and friend Jonathan Askin headed to protest outside the offices of Senators Charles Schumer and Kirstin Gillibrand). Many of the protesters argue that America is headed in the direction of authoritarian states such as China, Iran, and Bahrain in censoring the Net. The problem, though, is that America is not alone: most Western democracies are censoring the Internet. Britain does it for child pornography. France: hate speech. The EU is debating a proposal to allow “flagging” of objectionable content for ISPs to ban. Australia’s ISPs are engaging in pre-emptive censorship to prevent even worse legislation from passing. India wants Facebook, Google, and other online platforms to remove any content the government finds problematic.

Censorship is on the march, in democracies as well as dictatorships. With this movement we see, finally, the death of the American myth of free speech exceptionalism. We have viewed ourselves as qualitatively different – as defenders of unfettered expression. We are not. Even without SOPA and PROTECT IP, we are seizing domain names, filtering municipal wi-fi, and using funding to leverage colleges and universities to filter P2P. The reasons for American Internet censorship differ from those of France, South Korea, or China. The mechanism of restriction does not. It is time for us to be honest: America, too, censors. I think we can, and should, defend the legitimacy of our restrictions – the fight on-line and in Congress and in the media shows how we differ from China – but we need to stop pretending there is an easy line to be drawn between blocking human rights sites and blocking Rojadirecta or Dajaz1.

Cross-posted at Concurring Opinions.

1 Comment »
Filed under: Copyright, Digital Media, Education & Copyright, Filtering, First Amendment, Google, Intermediaries, Internet & Society, ISP, Media, Music, Politics, RIAA, Scholarship, Search Engines, Social Networking, Video

The Fight For Internet Censorship

Posted on January 16th, 2012 by Derek Bambauer

Thanks to Danielle and the CoOp crew for having me! I’m excited.

Speaking of exciting developments, it appears that the Stop Online Piracy Act (SOPA) is dead, at least for now. House Majority Leader Eric Cantor has said that the bill will not move forward until there is a consensus position on it, which is to say, never. Media sources credit the Obama administration’s opposition to some of the more noxious parts of SOPA, such as its DNSSEC-killing filtering provisions, and also the tech community’s efforts to raise awareness. (Techdirt’s Mike Masnick has been working overtime in reporting on SOPA; Wikipedia and Reddit are adopting a blackout to draw attention; even the New York City techies are holding a demonstration in front of the offices of Senators Kirstin Gillibrand and Charles Schumer. Schumer has been bailing water on the SOPA front after one of his staffers told a local entrepreneur that the senator supports Internet censorship. Props for candor.) I think the Obama administration’s lack of enthusiasm for the bill is important, but I suspect that a crowded legislative calendar is also playing a significant role.

Of course, the PROTECT IP Act is still floating around the Senate. It’s less worse than SOPA, in the same way that Transformers 2 is less worse than Transformers 3. (You still might want to see what else Netflix has available.) And sponsor Senator Patrick Leahy has suggested that the DNS filtering provisions of the bill be studied – after the legislation is passed. It’s much more efficient, legislatively, to regulate first and then see if it will be effective. A more cynical view is that Senator Leahy’s move is a public relations tactic designed to undercut the opposition, but no one wants to say so to his face.

I am not opposed to Internet censorship in all situations, which means I am often lonely at tech-related events. But these bills have significant flaws. They threaten to badly weaken cybersecurity, an area that is purportedly a national priority (and has been for 15 years). They claim to address a major threat to IP rightsholders despite the complete lack of data that the threat is anything other than chimerical. They provide scant procedural protections for accused infringers, and confer extraordinary power on private rightsholders – power that will, inevitably, be abused. And they reflect a significant public choice imbalance in how IP and Internet policy is made in the United States.

Surprisingly, the Obama administration has it about right: we shouldn’t reject Internet censorship as a regulatory mechanism out of hand, but we should be wary of it. This isn’t the last stage of this debate – like Wesley in The Princess Bride, SOPA-like legislation is only mostly dead. (And, if you don’t like the Obama administration’s position today, just wait a day or two.)

Cross-posted at Concurring Opinions.

No Comments »
Filed under: civil procedure, Copyright, Digital Media, Filtering, First Amendment, Google, Intermediaries, international, Internet & Society, Network Neutrality, Politics, RIAA, Scholarship, Search Engines

Transparency, Internet Freedom, and IP

Posted on January 4th, 2012 by Derek Bambauer

On Saturday, January 7, at 8:30AM (yes, that’s early, bring coffee), I’ll be speaking on a panel on Governmental Transparency in the Digital Age, run by the National Security Section of the AALS. It’s in Delaware Suite B on the lobby level of the Marriott Wardman Park Hotel. In addition to having painful flashbacks to the AALS Meat Market, I’ll be discussing the lack of transparency in Internet and IP policymaking under the Obama administration. Hope to see you there!

No Comments »
Filed under: Copyright, Court Decisions, Digital Media, Education & Copyright, Filtering, First Amendment, Intermediaries, international, Internet & Society, ISP, Law School, national security, Network Neutrality, Politics, RIAA, Scholarship, Security

Breaking the Net

Posted on December 19th, 2011 by Derek Bambauer

Mark Lemley, David Post, and Dave Levine have an excellent article in the Stanford Law Review Online, Don’t Break the Internet. It explains why proposed legislation, such as SOPA and PROTECT IP, is so badly-designed and pernicious. It’s not quite clear what is happening with SOPA, but it appears to be scheduled for mark-up this week. SOPA has, ironically, generated some highly thoughtful writing and commentary – I recently read pieces by Marvin Ammori, Zach Carter, Rebecca MacKinnon / Ivan Sigal, and Rob Fischer.

There are two additional, disturbing developments. First, the public choice problems that Jessica Litman identifies with copyright legislation more generally are manifestly evident in SOPA: Rep. Lamar Smith, the SOPA sponsor, gets more campaign donations from the TV / movie / music industries than any other source. He’s not the only one. These bills are rent-seeking by politically powerful industries; those campaign donations are hardly altruistic. The 99% – the people who use the Internet – don’t get a seat at the bargaining table when these bills are drafted, negotiated, and pushed forward.

Second, representatives such as Mel Watt and Maxine Waters have not only admitted to ignorance about how the Internet works, but have been proud of that fact. They’ve been dismissive of technical experts such as Vint Cerf – he’s only the father of TCP/IP – and folks such as Steve King of Iowa can’t even be bothered to pay attention to debate over the bill. I don’t mind that our Congresspeople are not knowledgeable about every subject they must consider – there are simply too many – but I am both concerned and offended that legislators like Watt and Waters are proud of being fools. This is what breeds inattention to serious cybersecurity problems while lawmakers freak out over terrorists on Twitter. (If I could have one wish for Christmas, it would be that every terrorist would use Twitter. The number of Navy SEALs following them would be… sizeable.) It is worrisome when our lawmakers not only don’t know how their proposals will affect the most important communications platform in human history, but overtly don’t care. Ignorance is not bliss, it is embarrassment.

Cross-posted at Prawfsblawg.

No Comments »
Filed under: Copyright, Digital Media, Filtering, First Amendment, Google, Intermediaries, international, Internet & Society, ISP, Media, Music, national security, Politics, RIAA, Scholarship, Search Engines, Security, Software

Next Page »

Bad Behavior has blocked 19 access attempts in the last 7 days.